Detect Malicious Link in Elastic Security
Adversaries may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from spearphishing links delivered via email, messaging platforms, or social media. Clicking on a link may lead to exploitation of a browser or application vulnerability, or direct download of a file requiring execution. Threat actors including FIN7, Kimsuky, QakBot, Bazar, and Mustang Panda have all leveraged malicious links as initial access vectors, often hosting payloads on legitimate cloud services such as Google Docs, OneDrive, or Dropbox to evade reputation-based filtering.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1204 User Execution
- Sub-technique
- T1204.001 Malicious Link
- Canonical reference
- https://attack.mitre.org/techniques/T1204/001/
Elastic Detection Query
sequence by host.id with maxspan=30s
[process where event.type == "start" and
process.parent.name in~ ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "opera.exe", "brave.exe", "vivaldi.exe", "browser.exe") and
process.name in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe", "wmic.exe", "msbuild.exe", "csc.exe", "installutil.exe", "regasm.exe", "regsvcs.exe", "odbcconf.exe", "forfiles.exe", "pcalua.exe")] as e1
[any where event.type in ("start", "creation") and
(
(event.category == "process" and
(
(process.args : ("-enc", "-EncodedCommand")) or
(process.args : ("Invoke-WebRequest", "Net.WebClient", "DownloadFile", "DownloadString", "IEX", "Invoke-Expression")) or
(process.name in~ ("wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msbuild.exe", "installutil.exe", "regasm.exe", "regsvcs.exe"))
)
) or
(event.category == "file" and
file.path : ("*\\Downloads\\*.exe", "*\\Downloads\\*.dll", "*\\Downloads\\*.js", "*\\Downloads\\*.vbs", "*\\Downloads\\*.hta", "*\\Downloads\\*.ps1", "*\\Downloads\\*.iso", "*\\AppData\\Local\\Temp\\*.exe", "*\\AppData\\Local\\Temp\\*.dll", "*\\Users\\Public\\*.exe"))
)
]Detects malicious link execution (T1204.001) by identifying browsers spawning suspicious child processes or dropping executable/script files to common staging directories. Uses EQL sequence correlation to link browser parent context to follow-on execution or file creation events within a 30-second window.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate browser extensions or update mechanisms that spawn helper processes such as Chrome's update service (GoogleUpdate.exe) or Firefox's crash reporter may appear as browser-spawned child processes.
- Developer workflows where a browser launches a local development server script or test runner via a link (e.g., clicking a localhost debug link that triggers a PowerShell or Node.js process).
- Enterprise software deployments using ClickOnce or MSIX packaging that involve msiexec.exe or rundll32.exe being launched through a browser download or link click.
Other platforms for T1204.001
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Browser Spawning PowerShell via URI Handler (Simulated)
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '-ExecutionPolicy Bypass -WindowStyle Hidden'. Sysmon Event ID 11: File Create for %TEMP%\malicious-link-test.txt. Security Event ID 4688 (if command line auditing enabled) showing powershell.exe creation.
- Test 2Malicious Link File Drop Simulation — Executable in Downloads
Expected signal: Sysmon Event ID 11: File Create with TargetFilename ending in Downloads\Invoice_March2026.exe. DeviceFileEvents (MDE) will show file creation in the Downloads directory. The Zone.Identifier ADS will NOT be present since the file is copied rather than downloaded — in a real scenario the browser would attach ZoneId=3.
- Test 3wscript.exe Execution of Remote-Hosted VBScript (Simulated Link Click)
Expected signal: Sysmon Event ID 11: File Create for %TEMP%\link_payload.vbs. Sysmon Event ID 1: Process Create with Image=wscript.exe, CommandLine containing the .vbs path. Security Event ID 4688 for wscript.exe creation. If launched from a browser parent, the parent-child relationship is recorded in ParentImage.
- Test 4mshta.exe LOLBin Execution via Simulated Browser Spawn
Expected signal: Sysmon Event ID 11: File Create for %TEMP%\link_test.hta. Sysmon Event ID 1: Process Create with Image=mshta.exe and CommandLine referencing the .hta path. If the HTA makes network connections, Sysmon Event ID 3 will record them. Security Event ID 4688 for mshta.exe.
- Test 5ISO/IMG Mount and Execute — Malicious Link File Delivery
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with Shell.Application COM object instantiation in command line. Sysmon Event ID 11: File Create for marker file. In a real ISO execution scenario, Sysmon Event ID 1 would show the process launched from a drive letter (e.g., E:\payload.exe) with no Zone.Identifier, distinguishing it from standard Downloads executions.
References (12)
- https://attack.mitre.org/techniques/T1204/001/
- https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/
- https://blog.cybereason.com/operation-gozi-the-shadow-war-against-the-public-sector
- https://www.zscaler.com/blogs/security-research/bazar-drops-the-anchor
- https://securityintelligence.com/posts/grandoreiro-how-engorged-can-an-exe-get/
- https://www.malwarebytes.com/blog/threat-intelligence/2021/02/lazyscripter-from-empire-to-double-rat
- https://www.trendmicro.com/en_us/research/21/h/confucius-apt-deploys-romcom-to-attack-ukraine.html
- https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.001/T1204.001.md
- https://www.sans.org/blog/ms-office-files-are-still-a-top-malware-delivery-mechanism/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
Unlock Pro Content
Get the full detection package for T1204.001 including response playbook, investigation guide, and atomic red team tests.